Thursday, March 15, 2018
Why the local marketing vault is different
Saturday, March 3, 2018
Friday Squid Blogging: Searching for Humboldt Squid with Electronic Bait
Video and short commentary.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Read my blog posting guidelines here.
from Friday Squid Blogging: Searching for Humboldt Squid with Electronic Bait
Malware from Space
Since you don't have enough to worry about, here's a paper postulating that space aliens could send us malware capable of destroying humanity.
Abstract: A complex message from space may require the use of computers to display, analyze and understand. Such a message cannot be decontaminated with certainty, and technical risks remain which can pose an existential threat. Complex messages would need to be destroyed in the risk averse case.
I think we're more likely to be enslaved by malicious AIs.
from Malware from Space
Friday, March 2, 2018
Explained: SQL injection
 |
|
| SQL injection is one of the most common attacks against businesses, with a high rate of success. So what can you do to prevent them?
Categories: Tags: breachcodedrop tableinjectionphp. aspquerysqlSQL injection |
The post Explained: SQL injection appeared first on Malwarebytes Labs.
The post Explained: SQL injection appeared first on Security Boulevard.
from Explained: SQL injection
More people dying in a fire: petroleum-based skin products to blame
An investigation has started to reveal that the practice of putting a distillate of petroleum (parrafin) on your body can lead to a very painful fiery death. Firefighter Chris Bell, who is a watch commander with West Yorkshire Fire and Rescue Service, says the actual number of deaths linked to the creams is likely to […]
The post More people dying in a fire: petroleum-based skin products to blame appeared first on Security Boulevard.
from More people dying in a fire: petroleum-based skin products to blame
Security Boulevard’s 5 Most-Read Stories for the Week, Feb. 26-Mar. 2
Another week has gone by with our fair share of security stories. This week Flight Simulator Passwords, IoT Security, and PCI Compliance and GDPR dominated the headlines, as well as the Recent Flash Zero-Day attacks. Missed out on any of the news this week? Here are the five most-read stories on Security Boulevard to help..
The post Security Boulevard’s 5 Most-Read Stories for the Week, Feb. 26-Mar. 2 appeared first on Security Boulevard.
from Security Boulevard’s 5 Most-Read Stories for the Week, Feb. 26-Mar. 2
PhishLabs Launches Future of Cybersecurity Scholarship Program
Today, PhishLabs is proud to announce the launch of our new annual scholarship program that is focused on furthering professionals interested in the growing world of cybersecurity. Dubbed the Future of Cybersecurity Scholarship Program, we will be able to help fuel student’s growth into one of the most in-demand industries.
The post PhishLabs Launches Future of Cybersecurity Scholarship Program appeared first on Security Boulevard.
from PhishLabs Launches Future of Cybersecurity Scholarship Program
Phishing Phish, Unicode Style
Graham Cluley, writing at his eponymous blog, educates us in protecting the browser from Unicode Phishing Attacks. Today's MustRead.
The post Phishing Phish, Unicode Style appeared first on Security Boulevard.
from Phishing Phish, Unicode Style
Is Google IdP a Directory Service?
Google has a long history of taking up arms against Microsoft with services like Gmail and G Suite. So, it makes sense that IT admins are wondering if Google’s next...
The post Is Google IdP a Directory Service? appeared first on JumpCloud.
The post Is Google IdP a Directory Service? appeared first on Security Boulevard.
from Is Google IdP a Directory Service?
Global Cost of Cybercrime on the Rise
Introduction Cyber-criminal activities worldwide continue to increase, in many cases, organized crime rings operate worldwide, and their profits are very high. The consolidation of a model of sales...
Go on to the site to read the full article
The post Global Cost of Cybercrime on the Rise appeared first on Security Boulevard.
from Global Cost of Cybercrime on the Rise
6 Tips for Securing Privileged Accounts in the Enterprise
Protecting privileged accounts and actively responding to any potential compromises has become a critical initiative for many CISOs. Stolen credentials are at the heart of most all modern attacks and breaches. Attackers can easily obtain credentials via phishing attacks, brute force, keyloggers, pass-the-hash techniques, or using a database of previously stolen credentials. And once an account is compromised, the attacker can see and do anything that is allowed for that user or account.
The post 6 Tips for Securing Privileged Accounts in the Enterprise appeared first on Security Boulevard.
from 6 Tips for Securing Privileged Accounts in the Enterprise
Top 6 iPhone Hacking Tools for Mobile Penetration Testers
As your career in cybersecurity or computer forensics progresses, you will no doubt come across one of Apple’s most popular devices ever made: the Apple iPhone. In this article, we outline the use...
Go on to the site to read the full article
The post Top 6 iPhone Hacking Tools for Mobile Penetration Testers appeared first on Security Boulevard.
from Top 6 iPhone Hacking Tools for Mobile Penetration Testers
Another Ransomware Variant Strikes Colorado DOT Days after Initial Attack
Colorado’s Department of Transportation (CDOT) has suffered an infection from another variant of the same ransomware family that attacked it just days earlier. On 1 March, a variant of SamSam ransomware targeted employees at CDOT. The attack didn’t hamper the Department’s Traffic Operations Center, the Colorado Governor’s Office of Information Technology (OIT) told KUSA-TV. But […]… Read More
The post Another Ransomware Variant Strikes Colorado DOT Days after Initial Attack appeared first on The State of Security.
The post Another Ransomware Variant Strikes Colorado DOT Days after Initial Attack appeared first on Security Boulevard.
from Another Ransomware Variant Strikes Colorado DOT Days after Initial Attack
Thursday, March 1, 2018
Russians Hacked the Olympics
Two weeks ago, I blogged about the myriad of hacking threats against the Olympics. Last week, the Washington Post reported that Russia hacked the Olympics network and tried to cast the blame on North Korea.
Of course, the evidence is classified, so there's no way to verify this claim. And while the article speculates that the hacks were a retaliation for Russia being banned due to doping, that doesn't ring true to me. If they tried to blame North Korea, it's more likely that they're trying to disrupt something between North Korea, South Korea, and the US. But I don't know.
from Russians Hacked the Olympics
1 in 50 publicly readable Amazon buckets are also writable – and that’s a data disaster waiting to happen
Now is not the time to dilly-dally. If you haven’t already properly secured the Amazon Web Services S3 servers (known as “buckets”) storing your sensitive data in the cloud then your business has no time to lose.
The post 1 in 50 publicly readable Amazon buckets are also writable – and that’s a data disaster waiting to happen appeared first on Security Boulevard.
from 1 in 50 publicly readable Amazon buckets are also writable – and that’s a data disaster waiting to happen
Tripwire Patch Priority Index for February 2018
Tripwire’s February 2018 Patch Priority Index (PPI) brings together the top vulnerabilities from Microsoft, Adobe, and Oracle. BULLETIN CVE Adobe Flash APSB18-03 CVE-2018-4878, CVE-2018-4877 Microsoft Browser CVE-2018-0763, CVE-2018-0839, CVE-2018-0771 Microsoft Scripting Engine CVE-2018-0840, CVE-2018-0860, CVE-2018-0861, CVE-2018-0866, CVE-2018-0838, CVE-2018-0859, CVE-2018-0857, CVE-2018-0856, CVE-2018-0835, CVE-2018-0834, CVE-2018-0837, CVE-2018-0836 Microsoft Office CVE-2018-0853, CVE-2018-0851 Microsoft Outlook CVE-2018-0850, CVE-2018-0852 Microsoft SharePoint CVE-2018-0864, […]… Read More
The post Tripwire Patch Priority Index for February 2018 appeared first on The State of Security.
The post Tripwire Patch Priority Index for February 2018 appeared first on Security Boulevard.
from Tripwire Patch Priority Index for February 2018
Facebook’s Ad Confirmation Process Won’t Stop the Russians
Without a doubt, if you are on the advertising services side of the Facebook house you’ve been sitting in a kitchen with the oven on broil and all four burners on high—the kitchen is hot. The social network is being viewed by many as culpable in allowing the Russian intelligence services to use their advertising..
The post Facebook’s Ad Confirmation Process Won’t Stop the Russians appeared first on Security Boulevard.
from Facebook’s Ad Confirmation Process Won’t Stop the Russians
AskRob: Does Tor let government peek at vuln info?
On Twitter, somebody asked this question:
@ErrataRob comments?— E. Harding🇸🇾, друг народа (anti-Russia=block) (@Enopoletus) March 1, 2018
Discussion
Conclusion
The post AskRob: Does Tor let government peek at vuln info? appeared first on Security Boulevard.
from AskRob: Does Tor let government peek at vuln info?
Data Integrity: The Next Big Challenge
Many of us in the cybersecurity world have followed this general mantra: protect the data, protect the data, protect the data. It’s a good mantra to follow, and ultimately that is what we are all trying to do. But there are different ways to protect data. The obvious method is to make sure it doesn’t […]… Read More
The post Data Integrity: The Next Big Challenge appeared first on The State of Security.
The post Data Integrity: The Next Big Challenge appeared first on Security Boulevard.
from Data Integrity: The Next Big Challenge
Why Cyber Security is the New Health and Safety
Many people view the Health and Safety at Work Act 1974 as unnecessary and burdensome, but its introduction has had a dramatic impact on reducing accidents in the workplace, particularly within industrial settings. Today, it controls the safety of equipment used on process plants, the time professional drivers may spend behind the wheel, and even […]… Read More
The post Why Cyber Security is the New Health and Safety appeared first on The State of Security.
The post Why Cyber Security is the New Health and Safety appeared first on Security Boulevard.
from Why Cyber Security is the New Health and Safety
Book highlights: “Hit refresh” by Satya Nadella
Very telegraphically, these are my impressions after reading "Hit Refresh":
- Impressive human being. He tells you how his personal experiences have shaped him, not only personally but also professionally.
Some of the ideas worth exploring that appear in the book are the following:
- Leadership is definitely an art.
- Empathy and compassion are skills leaders should have.
- We need to work comfortably with change and impermanence.
- "To be a leader here, oyur job is to find rose petals in a field of shit".
- The leader needs to link every employee's passion with the raison d'etre of the company.
- A sustainable ecosystem is required for a company to survive.
- Provide the environment for employees to find their personal balance.
- Other important topics: The link of technology, freedom and customers.
- The responsibility of a technology company with the world and the human beings.
- Most importantly, he also makes mistakes and learn from them.
- He is aware of the need to equally treat women and men in technology companies.
 |
| Learning every day |
The post Book highlights: “Hit refresh” by Satya Nadella appeared first on Security Boulevard.
from Book highlights: “Hit refresh” by Satya Nadella
Computer Forensics: Online Gaming and VR Forensics
Introduction With the expansion of technology, such as virtual reality simulators, it’s only natural that with progress comes setbacks, especially when it comes to security breaches. With the VR...
Go on to the site to read the full article
The post Computer Forensics: Online Gaming and VR Forensics appeared first on Security Boulevard.
from Computer Forensics: Online Gaming and VR Forensics
Computer Forensics: ICS/SCADA Forensics
Overview Control system security is the practice of using security methods to prevent intentional or unintentional interference with the operation of industrial automation and control systems. These...
Go on to the site to read the full article
The post Computer Forensics: ICS/SCADA Forensics appeared first on Security Boulevard.
from Computer Forensics: ICS/SCADA Forensics
Computer Forensics: Big Data Forensics
What is Big Data? In the computing world, there’s data—and then there’s big data. Described as a collection of information from traditional and digital sources of all kinds, big data is the pool of...
Go on to the site to read the full article
The post Computer Forensics: Big Data Forensics appeared first on Security Boulevard.
from Computer Forensics: Big Data Forensics
Wednesday, February 28, 2018
Apple to Store Encryption Keys in China
Apple is bowing to pressure from the Chinese government and storing encryption keys in China. While I would prefer it if it would take a stand against China, I really can't blame it for putting its business model ahead of its desires for customer privacy.
from Apple to Store Encryption Keys in China
NXP Integrates Layerscape Family of Arm-based Processors with Microsoft Azure IoT for Secure Edge Computing
NUREMBERG, Germany, Feb. 27, 2018 (GLOBE NEWSWIRE) — NXP Semiconductors N.V. (NASDAQ:NXPI), a worldwide leader in advanced secure connectivity solutions, today announced that its NXP Layerscape System-on-Chip (SoC) platforms are integrated with Microsoft Azure IoT Edge. The result is that developers can easily create a variety of ready-to-use applications within the rich framework provided by … Continue reading "NXP Integrates Layerscape Family of Arm-based Processors with Microsoft Azure IoT for Secure Edge Computing"
The post NXP Integrates Layerscape Family of Arm-based Processors with Microsoft Azure IoT for Secure Edge Computing appeared first on Trusted Computing Group.
The post NXP Integrates Layerscape Family of Arm-based Processors with Microsoft Azure IoT for Secure Edge Computing appeared first on Security Boulevard.
from NXP Integrates Layerscape Family of Arm-based Processors with Microsoft Azure IoT for Secure Edge Computing
Business Email Compromise: The Secret Billion Dollar Threat
BEC, or Business Email Compromise, is a contemporary twist on a staple scam. Often in the shadow of the more extravagant, media-friendly super-hacks or ransomware compromises, Business Email Compromise is leading the line on both the number of attack victims AND the direct losses encountered by businesses. Although not as en vogue as other ‘nouveau’ […]… Read More
The post Business Email Compromise: The Secret Billion Dollar Threat appeared first on The State of Security.
The post Business Email Compromise: The Secret Billion Dollar Threat appeared first on Security Boulevard.
from Business Email Compromise: The Secret Billion Dollar Threat
A Guide to PCI DSS Merchant Levels and Penetration Testing
In order to distinguish the sizes of merchant companies and appropriately determine the level of testing required, the founding credit card companies created four different brackets ranging from Tier 1 to 4. Each tier is based on the number of transactions processed per year by the merchant and also dictates the testing a merchant must […]… Read More
The post A Guide to PCI DSS Merchant Levels and Penetration Testing appeared first on The State of Security.
The post A Guide to PCI DSS Merchant Levels and Penetration Testing appeared first on Security Boulevard.
from A Guide to PCI DSS Merchant Levels and Penetration Testing
The user awareness landscape
Overall, technologies can be pretty straightforward to secure. Teach software not to execute a certain command, block a port, or alert on a set of conditions, and it will abide. Humans, on the other hand are not as easy to harden against attacks. These attacks are frequently delivered through emails, text messages, social media, or […]
The post The user awareness landscape appeared first on Security Boulevard.
from The user awareness landscape
How to Create an Effective Incident Response Plan
Introduction An organization’s incident response plan (IRP) should be their first line of defense against attacks and threats. IRPs are manuals that describe how organizations detect and limit the...
Go on to the site to read the full article
The post How to Create an Effective Incident Response Plan appeared first on Security Boulevard.
from How to Create an Effective Incident Response Plan
Computer Forensics: The Computer Hacking Forensics Investigator (CHFI) Certification
Introduction In today’s Cyber security world, the ability to conduct a proper forensics investigation at the scene of a crime is of utmost importance. It takes a highly qualified individual to...
Go on to the site to read the full article
The post Computer Forensics: The Computer Hacking Forensics Investigator (CHFI) Certification appeared first on Security Boulevard.
from Computer Forensics: The Computer Hacking Forensics Investigator (CHFI) Certification
The TENTH Annual Disaster Recovery Breakfast: Are you F’ing Kidding Me?
Posted under: General
What was the famous Bill Gates quote? “We always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next ten.” Well, we at Securosis actually can gauge that accurately given this is the TENTH annual RSA Conference Disaster Recovery Breakfast.
I think pretty much everything has changed over the past 10 years. Except that stupid users still click on things they shouldn’t. And auditors still give you a hard time about stuff that doesn’t matter. And breaches still happen. But we aren’t fighting for budget or attention much anymore. If anything, they beat a path to your door. So there’s that. It’s definitely a “be careful what you wish for” situation. We wanted to be taken seriously. But probably not this seriously.
We at Securosis are actually more excited for the next 10 years, and having been front and center on this cloud thing we believe over the next decade the status quo of both security and operations will be fundamentally disrupted. And speaking of disruption, we’ll also be previewing our new company – DisruptOPS at breakfast, if you are interested.
We remain grateful that so many of our friends, clients, and colleagues enjoy a couple hours away from the insanity that is the RSAC. By Thursday it’s very nice to have a place to kick back, have some quiet conversations, and grab a nice breakfast. Or don’t talk to anyone at all and embrace your introvert – we get that too.
The DRB happens only because of the support of CHEN PR, LaunchTech, CyberEdge Group, and our media partner Security Boulevard. Please make sure to say hello and thank them for helping support your recovery.
As always the breakfast will be Thursday morning (April 19) from 8-11 at Jillian’s in the Metreon. It’s an open door – come and leave as you want. We will have food, beverages, and assorted non-prescription recovery items to ease your day. Yes, the bar will be open. You know how Mike likes the hair of the dog.
Please remember what the DR Breakfast is all about. No spin, no magicians (since booth babes were outlawed) and no plastic light sabers (much to Rich’s disappointment) -– it’s just a quiet place to relax and have muddled conversations with folks you know, or maybe even go out on a limb and meet someone new. We are confident you will enjoy the DRB as much as we do.
To help us estimate numbers, please RSVP to rsvp (at) securosis (dot) com.
- Mike Rothman
(0) Comments
Subscribe to our daily email digest
The post The TENTH Annual Disaster Recovery Breakfast: Are you F’ing Kidding Me? appeared first on Security Boulevard.
from The TENTH Annual Disaster Recovery Breakfast: Are you F’ing Kidding Me?
More Free/Open Source Computer Forensics Tools
Introduction Nowadays, the number of security incidents have increased. If an organization’s business is paralyzed by an unwanted or unforeseen event, the business needs to recover and to...
Go on to the site to read the full article
The post More Free/Open Source Computer Forensics Tools appeared first on Security Boulevard.
from More Free/Open Source Computer Forensics Tools
Key Takeaways: Retail Threat Briefing Webinar with R-CISC
In the era of Amazon and mainstream e-commerce, every online retailer has to deliver a compelling user experience across their web and mobile channels while protecting customers from cyberattacks and fraud. Recently, Shape collaborated with R-CISC to share attack data and analysis of the most prevalent threats for retailers and best practices on how Top … Continue reading "Key Takeaways: Retail Threat Briefing Webinar with R-CISC"
The post Key Takeaways: Retail Threat Briefing Webinar with R-CISC appeared first on Security Boulevard.
from Key Takeaways: Retail Threat Briefing Webinar with R-CISC
Tuesday, February 27, 2018
Cellebrite Unlocks iPhones for the US Government
Forbes reports that the Israeli company Cellebrite can probably unlock all iPhone models:
Cellebrite, a Petah Tikva, Israel-based vendor that's become the U.S. government's company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11. That includes the iPhone X, a model that Forbes has learned was successfully raided for data by the Department for Homeland Security back in November 2017, most likely with Cellebrite technology.
[...]
It also appears the feds have already tried out Cellebrite tech on the most recent Apple handset, the iPhone X. That's according to a warrant unearthed by Forbes in Michigan, marking the first known government inspection of the bleeding edge smartphone in a criminal investigation. The warrant detailed a probe into Abdulmajid Saidi, a suspect in an arms trafficking case, whose iPhone X was taken from him as he was about to leave America for Beirut, Lebanon, on November 20. The device was sent to a Cellebrite specialist at the DHS Homeland Security Investigations Grand Rapids labs and the data extracted on December 5.
This story is based on some excellent reporting, but leaves a lot of questions unanswered. We don't know exactly what was extracted from any of the phones. Was it metadata or data, and what kind of metadata or data was it.
The story I hear is that Cellebrite hires ex-Apple engineers and moves them to countries where Apple can't prosecute them under the DMCA or its equivalents. There's also a credible rumor that Cellebrite's mechanisms only defeat the mechanism that limits the number of password attempts. It does not allow engineers to move the encrypted data off the phone and run an offline password cracker. If this is true, then strong passwords are still secure.
from Cellebrite Unlocks iPhones for the US Government
Securely Moving Workloads to the Cloud
One debate is about the security of the Cloud and the Cloud provider. Once you decide to go there, the next question is about how to get it done. There are a few key and basic concepts to be followed. First and foremost you need to understand, which responsibilities you are moving with the workload…
The post Securely Moving Workloads to the Cloud appeared first on Security Boulevard.
from Securely Moving Workloads to the Cloud
Israeli forensics firm claims it can unlock any iPhone on iOS 5 to iOS 11
A company based in Israel has become the go-to entity for unlocking virtually any iDevice sold by Apple running iOS 5 to 11, according to anonymous sources. Apple puts a great deal of effort into locking down its hardware from prying eyes to ensure the privacy of end users. It goes as far as to […]
The post Israeli forensics firm claims it can unlock any iPhone on iOS 5 to iOS 11 appeared first on Security Boulevard.
from Israeli forensics firm claims it can unlock any iPhone on iOS 5 to iOS 11
A Dozen Connecticut State Agencies Targeted by WannaCry Ransomware
Government officials have revealed that WannaCry ransomware affected more than 100 computers at a dozen Connecticut state agencies. According to Connecticut’s Department of Administrative Services (DAS), state officials detected the digital attack against 160 computers at 12 state agencies on 23 February. Jeffrey Beckham, a spokesperson for the agency, says that IT personnel worked on […]… Read More
The post A Dozen Connecticut State Agencies Targeted by WannaCry Ransomware appeared first on The State of Security.
The post A Dozen Connecticut State Agencies Targeted by WannaCry Ransomware appeared first on Security Boulevard.
from A Dozen Connecticut State Agencies Targeted by WannaCry Ransomware
Cellebrite Unlocks iPhones for the US Government
Forbes reports that the Israeli company Cellebrite can probably unlock all iPhone models: Cellebrite, a Petah Tikva, Israel-based vendor that's become the U.S. government's company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11. That includes the iPhone X,...
The post Cellebrite Unlocks iPhones for the US Government appeared first on Security Boulevard.
from Cellebrite Unlocks iPhones for the US Government
42% of Organizations Experienced Burst Attacks; The Rest Were Unaware They Were Attacked
One of the prominent trends in 2017 was an increase in short-burst attacks, which have become more complex, more frequent and longer in duration. Burst tactics are typically used against gaming websites and service providers due to their sensitivity to service availability as well as their inability to sustain such attack maneuvers. Timely or random […]
The post 42% of Organizations Experienced Burst Attacks; The Rest Were Unaware They Were Attacked appeared first on Radware Blog.
The post 42% of Organizations Experienced Burst Attacks; The Rest Were Unaware They Were Attacked appeared first on Security Boulevard.
from 42% of Organizations Experienced Burst Attacks; The Rest Were Unaware They Were Attacked
What?s It Take To Be Tomorrow?s CISO?
A new Security for Business Innovation Council (SBIC) report explores both the incremental and transformational skills required for current and future CISO success. Learn which fundamental technology and security capabilities matter most and which unexpected skills CISOs will need to acquire to drive business success.
The post What?s It Take To Be Tomorrow?s CISO? appeared first on Security Boulevard.
from What?s It Take To Be Tomorrow?s CISO?
Cloud Computing Basics
At its simplest level, cloud computing means using someone else’s computer. This gives you rapid access to computing power, storage, and network services that can help you scale your operation up or down, depending on your requirements. Cloud is a technology buzzword with many meanings. Dropbox is cloud. Microsoft Office 365 is cloud. Salesforce is…
The post Cloud Computing Basics appeared first on CCSI.
The post Cloud Computing Basics appeared first on Security Boulevard.
from Cloud Computing Basics
Establishing trust in mobile payments
At the start of the year, Thales released the findings of its latest annual global Data Threat Report which found...
The post Establishing trust in mobile payments appeared first on Data Security Blog | Thales e-Security.
The post Establishing trust in mobile payments appeared first on Security Boulevard.
from Establishing trust in mobile payments
Behavioral Biometrics – A Discreet Layer of Security for Mobile Apps
The following article, authored by Giovanni Verhaeghe, Director Market and Product Strategy, VASCO, first appeared 2/4/2018 in the Financial IT.net blog. Mobile banking apps and the devices they run on are increasingly at risk for compromise by cybercriminals. New, sophisticated methods of attack have rendered the classic username-password scheme outright obsolete. Even the more secure but still basic two-factor authentication seems insufficient, as hackers have found ways to dupe users... Read more
The post Behavioral Biometrics – A Discreet Layer of Security for Mobile Apps appeared first on VASCO Data Security - Blog.
The post Behavioral Biometrics – A Discreet Layer of Security for Mobile Apps appeared first on Security Boulevard.
from Behavioral Biometrics – A Discreet Layer of Security for Mobile Apps
The Five Attributes Needed to Succeed at DevSecOps
It’s hard to believe but the conversation around how security fits in DevOps has been going on for years. It was in 2012 when Gartner analyst Neil MacDonald wrote his blog DevOps Needs to Become DevOpsSec. In this blog MacDonald wrote “DevOps seeks to bridge the development and operations divide through the establishment of a culture of trust and shared interest among individuals in these previously siloed organizations. However, this vision is incomplete without the incorporation of information security, which represents yet another silo in IT.”
The post The Five Attributes Needed to Succeed at DevSecOps appeared first on Security Boulevard.
from The Five Attributes Needed to Succeed at DevSecOps
Monday, February 26, 2018
From my Gartner Blog – It’s Not (Only) That The Basics Are Hard…
While working on our research for testing security practices, and also about BAS tools, I’ve noticed that a common question about adding more testing is “why not putting some real effort in doing the basics instead of yet another security test?”. After all, there is no point in looking for holes when you don’t even have a functional vulnerability management program, right?
But the problem is not about not doing the basics. It is about making sure the basics are in place! Doing the basics is ok, but making sure your basics are working is not trivial.
Think about the top 5 of the famous “20 Critical Security controls“:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administrative Privileges
How do you know your processes to maintain devices and software inventories are working? What about the hardening, vulnerability management and privileged access management processes? How confident are you that they are working properly?
If you think about the volume and frequency of changes in the technology environment of a big organization, it’s easy to see how the basic security controls can fail. Of course, good processes are built with the verification and validation steps to catch exceptions and mistakes, but they still happen. This is a base rate problem: with the complexity and high number of changes in the environment, even the best process out there will leave a few things behind. And when it is about security…the “thing left behind” may be a badly maintained CMS exposed to the Internet, a CVSS 10 vulnerability, unpatched, a credential with excessive privileges and a weak (maybe even DEFAULT!) password.
I’ve seen many pentests where the full compromise was performed by the exploitation of those small mistakes and misconfigurations. The security team gets a report with a list of things to address that were really exceptions of processes that are doing a good job (again, you may argue that they are not doing a good job, but this is the point where I stop saying there’s no such thing as a perfect control). So they clean those things, double check the controls and think “this definitely will never happen again!”, just to be see the next test, one year after, also succeeding by exploiting a similar, but different combination of unnoticed issues.
And that’s one of the main value drivers for BAS. Choosing to deploy a tool like that is to recognize that even the good controls and processes will eventually fail, and put something that will continuously try to find those issues left behind. By doing that in an automated manner you can ensure to cover the entire* environment consistently and very frequently, reducing the time those issues will be exposed to real attackers. Is it another layer of control? Yes, it is. But an automated layer to keep the overhead to a minimum. If your basics are indeed working well the findings should also not be overwhelming to the point of becoming a distraction.
* – You may catch the funny gap in this rationale…you may also end up failing because the BAS tool is not checking the entire environment, due to an issue with inventory management. Or the tests are not working as intended because they are being blocked by a firewall that should have an exception rule for the tool; yes, this using BAS is also a control, so it may fail too!
The post It’s Not (Only) That The Basics Are Hard… appeared first on Augusto Barros.
from Augusto Barros http://ift.tt/2F82kSk
via IFTTT
The post From my Gartner Blog – It’s Not (Only) That The Basics Are Hard… appeared first on Security Boulevard.
from From my Gartner Blog – It’s Not (Only) That The Basics Are Hard…
USPS Finally Starts Notifying You by Mail If Someone is Scanning Your Snail Mail Online
In October 2017, KrebsOnSecurity warned that ne'er-do-wells could take advantage of a relatively new service offered by the U.S. Postal Service that provides scanned images of all incoming mail before it is slated to arrive at its destination address. We advised that stalkers or scammers could abuse this service by signing up as anyone in the household, because the USPS wasn't at that point set up to use its own unique communication system -- the U.S. mail -- to alert residents when someone had signed up to receive these scanned images.
The USPS recently told this publication that beginning Feb. 16 it started alerting all households by mail whenever anyone signs up to receive these scanned notifications of mail delivered to that address. The notification program, dubbed "Informed Delivery," includes a scan of the front and back of each envelope or package destined for a specific address.
The post USPS Finally Starts Notifying You by Mail If Someone is Scanning Your Snail Mail Online appeared first on Security Boulevard.
from USPS Finally Starts Notifying You by Mail If Someone is Scanning Your Snail Mail Online
BSides Leeds, Mark Carney’s ‘Pentesting Hardware And IoT’
The post BSides Leeds, Mark Carney’s ‘Pentesting Hardware And IoT’ appeared first on Security Boulevard.
from BSides Leeds, Mark Carney’s ‘Pentesting Hardware And IoT’
New Guide on How to Clean a Hacked Website
Our mission at Sucuri is to make the internet a safer place and that entails cleaning up hacked websites. We have teams who actively research website vulnerabilities and who are eager to share with you some tips on how to clean your hacked website.
We are happy to help the community learn the steps they can follow to get rid of a website hack.
You can find all our guides to website security in a section of our website dedicated to providing concise and comprehensive tips on different areas of website security.
Continue reading New Guide on How to Clean a Hacked Website at Sucuri Blog.
The post New Guide on How to Clean a Hacked Website appeared first on Security Boulevard.
from New Guide on How to Clean a Hacked Website
Top 5 Ways to Get Developer Application Security Buy-In [VIDEO]
The speed and scope of software development today is creating new challenges in ensuring the security of software. But they also create the opportunity to finally get application security right. Both the challenge and the opportunity stem, in part, from the fact that security is “shifting left.” The responsibility for ensuring the stability and security of software through production and customer usage is moving earlier in the cycle to include developers. This shift means security can get baked into code earlier, greatly increasing the chance of producing secure code without costly late-stage fixes.
But it also means a higher level of developer involvement in security, and often some work by the security team to get developers on board with the initiative. To ensure the success of your application security initiative, it’s essential to work closely with your developers so they understand the guidelines, strategies, policies, procedures and security risks involved with application security. What’s more, they must be prepared and equipped to operate securely within their particular development processes. Ryan O’Boyle, product security architect at CA Veracode, recently recorded a quick “chalkboard” video where he outlines our top 5 ways to get developer application security buy-in. Listen to Ryan as he walks you through:
Way No. 1: Timing: Bring in developers early in the planning process.
Way No. 2: Understanding: Learn about developers’ priorities and processes.
Way No. 3: Training: Most developers have no training on secure coding practices.
Way No. 4: Integrating: Work to integrate application security into existing developer tools and processes.
Way No. 5: Automating: Build tests into the pipeline through automation.
Watch Ryan’s short video get all the details on these five tactics, and set yourself up for AppSec success.
The post Top 5 Ways to Get Developer Application Security Buy-In [VIDEO] appeared first on Security Boulevard.
from Top 5 Ways to Get Developer Application Security Buy-In [VIDEO]
Report: The State of Cybersecurity in Florida
Just recently The Florida Center for Cybersecurity released their 2017 report, The State of Cybersecurity in Florida.
So what IS The Florida Center for Cybersecurity? It's a statewide agency located at USF in Tampa that works with all State University System of Florida institutions, industry, the military, government, and the community to build Florida's cybersecurity workforce.
The report is the first they've done. It looks at the cyber threat environment, workforce supply and demand, education and training opportunities, and research initiatives within the State of Florida.
In particular, here are some of its findings (and my comments):
In regards to the talent shortage:
- 68% of organizations surveyed report cyber staffing challenges.
- Compensation for mid- and junior-level positions in Florida is $5,000 to $10,000 per position higher than the national average.
Even reading further in the report, its not clear the authors know what the average is that people should be paid.
Next, there is an overview of the threats facing Florida businesses:
- Reports of corporate data breaches in Florida rose 17.8% between 2015 and 2016
- 41% of organizations surveyed report having suffered a breach
- Only 32% of organizations surveyed are confident they are prepared for a cyberattack
A look at the steps organizations are taking to mitigate these threats:
80% of organizations surveyed require all personnel to complete security training
87% of organizations surveyed technologically enforce strong passwords
More than 85% of organizations surveyed have disaster recovery and business continuity plans (though only 32% regularly test those plans)
Sadly, this doesn't surprise me. Employee security training is just security awareness training. But how good or effect is it? Again, how good are those BC/DR plans? Since only a third test them, who knows? Scary when you consider we have to worry about hurricanes, and we had Irma last year go thru the whole state.
I hope this will be an annual report. I would like to see a larger group providing information, tho it seems this one was pretty diverse in terms of location and industry.
Check it our yourself.
The post Report: The State of Cybersecurity in Florida appeared first on Security Boulevard.
from Report: The State of Cybersecurity in Florida
A week in security (February 19 – February 25)
 |
|
| A roundup of notable news stories from February 19–25, including drive-by download attacks on Chinese websites, Deepfakes programs being paired with cryptominers, and a review of GDPR guidelines.
Categories: Tags: avzhanddosdeepfakesfraudgdprimpersonationKrebsOnSecurityrecapsecuityweekly blog roundup |
The post A week in security (February 19 – February 25) appeared first on Malwarebytes Labs.
The post A week in security (February 19 – February 25) appeared first on Security Boulevard.
from A week in security (February 19 – February 25)
Best practices for securely moving workloads to Microsoft Azure
Azure is Microsofts cloud computing environment. It offers customers three primary service delivery models including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). Adopting cloud technologies requires a shared responsibility model for security, with Microsoft responsible for certain controls and the customer others, depending on the service
The post Best practices for securely moving workloads to Microsoft Azure appeared first on Security Boulevard.
from Best practices for securely moving workloads to Microsoft Azure
A Deep Dive into Database Attacks [Part II]: Delivery and Execution of Malicious Executables through SQL commands (SQL Server)
An organization’s database servers are frequently the prime target of attackers. We recently started a new research project to learn more about database hacking, primarily to understand common database attacks, tools and techniques engaged by attackers. To conduct this research, we set up a honeypot net for popular SQL/NoSQL databases and then monitored access to […]
The post A Deep Dive into Database Attacks [Part II]: Delivery and Execution of Malicious Executables through SQL commands (SQL Server) appeared first on Security Boulevard.
from A Deep Dive into Database Attacks [Part II]: Delivery and Execution of Malicious Executables through SQL commands (SQL Server)
TPM Enables Secure Over-the-air Software Updates for Vehicles: It’s Here
Auto makers have long struggled with the recall issue. A significant portion of recalls are associated now with software updates to our rolling computers, aka cars. These increasingly complex systems of course require the same patches and updates any computing system needs. But in the case of cars, how do auto makers and dealers ensure … Continue reading "TPM Enables Secure Over-the-air Software Updates for Vehicles: It’s Here"
The post TPM Enables Secure Over-the-air Software Updates for Vehicles: It’s Here appeared first on Trusted Computing Group.
The post TPM Enables Secure Over-the-air Software Updates for Vehicles: It’s Here appeared first on Security Boulevard.
from TPM Enables Secure Over-the-air Software Updates for Vehicles: It’s Here
Sunday, February 25, 2018
Insider Enterprise Threats: User Activity Monitoring
This article is part 1 of 3 in the “Insider Enterprise Threats” series, outlining effective policies and practices for combating insider cyber security threats to the modern enterprise. Insider cyber security threats are much more prevalent than most of us realize. IBM estimates that 60% of all cyberattacks are perpetrated by those with insider access; […]… Read More
The post Insider Enterprise Threats: User Activity Monitoring appeared first on The State of Security.
The post Insider Enterprise Threats: User Activity Monitoring appeared first on Security Boulevard.
from Insider Enterprise Threats: User Activity Monitoring
New Report Offers Better Cybersecurity Definitions
The Council of Economic Advisers recently released a report that examines the cost of malicious cyber activity to the U.S. economy. The report cites many of the usual findings from the Verizon DBIR and Ponemon reports. Nothing new to those of us who live and breathe cybersecurity. However, the report caught my eye because it […]… Read More
The post New Report Offers Better Cybersecurity Definitions appeared first on The State of Security.
The post New Report Offers Better Cybersecurity Definitions appeared first on Security Boulevard.
from New Report Offers Better Cybersecurity Definitions
Fake Steam Desktop Authenticator steals account details
In this blog post, we'll have a quick look at fake versions of Steam Desktop Authenticator (SDA), which is a "desktop implementation of Steam's mobile authenticator app".
Lava from SteamRep brought me to the attention of a fake version of SDA floating around, which may be attempting to steal your Steam credentials.
Indeed, there are some fake versions - we'll discuss two of them briefly.
Fake version #1
The first fake version can be found on steamdesktopauthenticator[.]com. Note that the site is live.
 |
| Figure 1 - Fake SDA website |
When downloading the ZIP file from the website, and unzipping it, we notice the exact same structure as you would when fetching the legitimate package - with one difference: the main executable has been modified.
File details:
Name: Steam Desktop Authenticator.exe
MD5 hash: 872abdc5cf5063098c87d30a8fcd8414
File size: 1,4446 KB
Version: v1.0.9.1
Note that the current and real SDA version is 1.0.8.1, and its original file size is 1,444 KB - 2 bytes of difference can mean a lot. Figures 2 and 3 below show the differences.
 |
| Figure 2 - Sending credentials to steamdesktopauthenticator[.]com |
 |
| Figure 3 - Sending credentials to steamdesktop[.]com |
Indeed, it appears it also attempts to upload to another website - while digging a bit further, we can also observe an email address associated with the domains: mark.korolev.1990@bk[.]ru
While I was unable to immediately find a malicious fork with any of these domains, Mark has likely forked the original repository, made the changes - then deleted the fork. Another possibility is that the source was downloaded, and simply modified. However, it is more than likely the former option.
Fake version #2
This fake version was discovered while attempting to locate Mark's fork from the fake version above - here, we have indeed a malicious fork from GitHub, where trades/market actions appear to be intercepted, as shown in Figure 4 below.
 |
| Figure 4 - Malicious SDA fork (click to enhance) |
Currently, when trying to access the malicious site lightalex[.]ru with a bogus token, a simple "OK" is returned - it is currently unknown whether market modifications would be successful.
Interestingly enough, when digging deeper on this particular domain, which is currently hosted on 91.227.16[.]31, it had hosted other SteamStealer malware before, for example cs-strike[.]ru and csgo-knives[.]net.
The malicious fork has been reported to GitHub.
Disinfection
Neither fake SDA versions reported here appear to implement any persistence, in other words; remove the fake version by deleting it, and perform a scan with your current antivirus and a scan with another, online antivirus, or with Malwarebytes for example.
Now, change your password for Steam, and enable Steam Guard if you have not yet done so.
Prevention
Prevention advise is the usual, extended advise is provided in a previous blog post here.
You may also want to take a look at SteamRep's Safe Trading Practices here.
Conclusion
SteamStealer malware is alive and well, as seen from my January blog post. This is again another form of attempting to scam users, and variations will continue to emerge.
Always download any software from the original source - this means the vendor's website, or in this case, the official SDA repository on GitHub:
https://github.com/Jessecar96/SteamDesktopAuthenticator
Follow the prevention tips above or here to stay safe.
Indicators
The post Fake Steam Desktop Authenticator steals account details appeared first on Security Boulevard.
from Fake Steam Desktop Authenticator steals account details
Steve Sack’s ‘Russian Troll’
via Cagle.com comes this thought-provoking editorial cartoon entitled 'Russian Troll'by the eponymous Steve Sack.
The post Steve Sack’s ‘Russian Troll’ appeared first on Security Boulevard.
from Steve Sack’s ‘Russian Troll’
BSides Leeds 2018, Phill Kimpton’s ‘Soldier To Cyber’
The post BSides Leeds 2018, Phill Kimpton’s ‘Soldier To Cyber’ appeared first on Security Boulevard.
from BSides Leeds 2018, Phill Kimpton’s ‘Soldier To Cyber’
What, Me Worry? Car Data, Where Does It Go…
Where does all of that data gathered by car manfacturers while we drive? Perhaps Jonathan M. Gitlin, reporting for everyone's beloved Ars Technica can fulfill that data request in a speedy manner! Shouldn't the driver/owner of the vehicle make that decision? Enjoy.
The post What, Me Worry? Car Data, Where Does It Go… appeared first on Security Boulevard.
from What, Me Worry? Car Data, Where Does It Go…
Budgeting for Active Directory®: Identity Federation
When looking to acquire Microsoft’s® Active Directory® product, most IT administrators will initially smile. The cost: “free”. Active Directory and domain control services at large are features that may be...
The post Budgeting for Active Directory®: Identity Federation appeared first on JumpCloud.
The post Budgeting for Active Directory®: Identity Federation appeared first on Security Boulevard.
from Budgeting for Active Directory®: Identity Federation
Anatomy of a Russian Information Warfare Campaign
Not only Russia, I would say… Anatomy of a Russian Information Warfare Campaign
The post Anatomy of a Russian Information Warfare Campaign appeared first on Security Boulevard.
from Anatomy of a Russian Information Warfare Campaign
Jeff Koterba’s ‘The Torch of Truth’
Via Cagle Comes This Superb Jeff Koterba Penned Editorial Cartoon Entitled 'The Torch of Truth'
The post Jeff Koterba’s ‘The Torch of Truth’ appeared first on Security Boulevard.
from Jeff Koterba’s ‘The Torch of Truth’
Saturday, February 24, 2018
Long Now Foundation’s ‘Clock of the Long Now – Installation Begins’
The post Long Now Foundation’s ‘Clock of the Long Now – Installation Begins’ appeared first on Security Boulevard.
from Long Now Foundation’s ‘Clock of the Long Now – Installation Begins’
OpenSnitch, The GNU/Linux Port of Application Firewall Little Snitch
News, of the release of OpenSnitch - the GNU/ Linux port of Object Development's much beloved LittleSnitch - a native macOS Application Firewall. As of the date of this post, OpenSnitch is in an Alpha release state, with the caveat: 'Warning: This is still alpha quality software, don't rely on it (yet) for your computer security.' Additional information is available via the OpenSnitch GitHub Readme. H/T
The post OpenSnitch, The GNU/Linux Port of Application Firewall Little Snitch appeared first on Security Boulevard.
from OpenSnitch, The GNU/Linux Port of Application Firewall Little Snitch
Group Policy for Macs
Group Policy for Macs would be a dream come true for IT admins. Group Policy Objects (GPOs) have been a foundational component of system management in Active Directory®. But GPOs...
The post Group Policy for Macs appeared first on JumpCloud.
The post Group Policy for Macs appeared first on Security Boulevard.
from Group Policy for Macs
Friday Squid Blogging: The Symbiotic Relationship Between the Bobtail Squid and a Particular Microbe
This is the story of the Hawaiian bobtail squid and Vibrio fischeri.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Read my blog posting guidelines here.
from Friday Squid Blogging: The Symbiotic Relationship Between the Bobtail Squid and a Particular Microbe
Friday, February 23, 2018
Npm Update Crashes Linux Systems
An update for the popular Npm package manager used by many developers for JavaScript-based projects crashed Linux systems after changing the permissions for critical directories. Linux users who installed npm 5.7.0 released Feb. 21 quickly took to Twitter and GitHub to report that the update broke their filesystems by changing the permissions on critical system..
The post Npm Update Crashes Linux Systems appeared first on Security Boulevard.
from Npm Update Crashes Linux Systems
Friday Squid Blogging: The Symbiotic Relationship Between the Bobtail Squid and a Particular Microbe
This is the story of the Hawaiian bobtail squid and Vibrio fischeri. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here....
The post Friday Squid Blogging: The Symbiotic Relationship Between the Bobtail Squid and a Particular Microbe appeared first on Security Boulevard.
from Friday Squid Blogging: The Symbiotic Relationship Between the Bobtail Squid and a Particular Microbe
Google IdP Replacement
Google has been making a significant push into the modern enterprise. Google isn’t content to be just a search engine provider. Now they also want to be the cloud infrastructure...
The post Google IdP Replacement appeared first on JumpCloud.
The post Google IdP Replacement appeared first on Security Boulevard.
from Google IdP Replacement
VMware Intends to Buy CloudVelox
VMware 3; Cisco 0 <== More on this later. Another brilliant move by VMware as it shifts away from competing cloud to cloud with the likes of AWS and Azure and focuses on areas where it has strategic advantage. Well done! Read the VMware blog post: VMware Announces Intent to Acquire Technology and Team from […]
The post VMware Intends to Buy CloudVelox appeared first on Security Boulevard.
from VMware Intends to Buy CloudVelox